Description
Version 3.0.7 of the Securly Chrome Extension contains hardcoded, plaintext AES passphrases in securly.min.js. These keys decrypt crisis alert keyword data and intervention site data.
Published: 2026-06-03
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in hardcoded AES passphrases embedded within the Securly Chrome Extension’s securly.min.js file. These plaintext keys are used to decrypt crisis alert keyword data and intervention site data, thereby allowing an attacker to compromise the confidentiality of such sensitive information. The flaw represents an improper handling of cryptographic keys, granting potential exposure of operational details that could affect user privacy and security.

Affected Systems

The Securly Chrome Extension, version 3.0.7, is affected. No other versions or product variants are listed.

Risk and Exploitability

The EPSS score is < 1%, and the vulnerability is not on CISA’s KEV list, indicating no known high‑profile exploitation activity yet. However, the presence of plaintext decryption keys in the client‑side code provides a direct avenue for attackers who can analyze or tamper with the extension in a user’s browser. The likely attack vector is local code assessment or malicious injection into the extension’s context. With a CVSS score of 7.3, the risk is considered high, but it could be escalated if the extension is compromised.

Generated by OpenCVE AI on June 4, 2026 at 18:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Securly Chrome Extension to the latest available version that removes the hardcoded AES passphrases.
  • If the latest version is unavailable, disable or uninstall the extension and avoid using it in environments that handle crisis alert or intervention data.
  • Notify Securly support to request a secure build or guidance on removing the embedded keys if you must continue using the current extension.

Generated by OpenCVE AI on June 4, 2026 at 18:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://kb.cert.org/vuls/id/595768 cve-icon cve-icon
History

Fri, 05 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Securly securly Chrome Extension
Vendors & Products Securly securly Chrome Extension

Thu, 04 Jun 2026 19:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-256
CWE-312

Thu, 04 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Securly
Securly securly
Weaknesses CWE-798
CPEs cpe:2.3:a:securly:securly:3.0.7:*:*:*:*:chrome:*:*
Vendors & Products Securly
Securly securly

Thu, 04 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-312
CWE-798

Thu, 04 Jun 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 03 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-312
CWE-798

Wed, 03 Jun 2026 19:00:00 +0000

Type Values Removed Values Added
Description Version 3.0.7 of the Securly Chrome Extension contains hardcoded, plaintext AES passphrases in securly.min.js. These keys decrypt crisis alert keyword data and intervention site data.
Title CVE-2026-8876
References

Subscriptions

Securly Securly Securly Chrome Extension
cve-icon MITRE

Status: PUBLISHED

Assigner: certcc

Published:

Updated: 2026-06-04T14:20:24.250Z

Reserved: 2026-05-18T20:27:18.596Z

Link: CVE-2026-8876

cve-icon Vulnrichment

Updated: 2026-06-04T14:20:21.014Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-03T19:16:39.233

Modified: 2026-06-04T18:42:12.960

Link: CVE-2026-8876

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T10:11:27Z

Weaknesses
  • CWE-256

    Plaintext Storage of a Password

  • CWE-312

    Cleartext Storage of Sensitive Information

  • CWE-798

    Use of Hard-coded Credentials